GDPR Legislation impact on Behavioural Retargeting
How is the discipline of Behavioural Retargeting impacted by the GDPR legislation and the lack of a legal framework for data transfers between the EU and US?
Please reach out to the previous article of The Marketing Analyst to firstly understand the legal framework of the GDPR.
What does Behavioural Retargeting mean?
Behavioral retargeting (also known as remarketing) is a form of online targeted advertising by which the advertising is targeted to consumers based on their previous browsing behaviour. This behaviour is traditionally tracked by the use of marketing pixels (tracking scripts installed by the website owner) and third-party cookies (to display advertisements on other domains).
There are many ad exchanges that enable these kinds of targeting. The most well-known are Google Ad Manager, Google Display & Video 360, Facebook Ads Manager, Microsoft Advertising, The Trade Desk, Xandr, etc.
Consent needed?
Since with behavioural retargeting you share data of your website visitors with a third party (the advertising platform), it is clear that the only lawful bases can be consent. An identifier is sent (usually a cookie id or a hashed e-mail address) in combination with behavioural data. And regardless of whether you interpret a cookie ID as personal data or not, the fact that you are sharing the data with a third party to build up targeting profiles, means you have to be extra cautious. Therefore, we recommend never firing ad pixels until the proper permission has been obtained.
This is also explicitly mentioned in the User Consent Policy of Google Ads:
“You must ensure that certain disclosures are given to, and consents obtained from, end users in the European Economic Area.”
Data transfers
The discussion around data transfers within a real-time bidding context is challenging. The current way AdTech works is complex and it is a tangle of too many different parties exchanging data. It is impossible to communicate this in a transparent and understandable way to a visitor of your website.
Moreover, almost all major players in this market are American vendors. In recent years, due to strict regulations, we have seen many European start-ups in the AdTech space. However, they do not yet succeed in generating sufficient volume to be able to replace the Googles and Facebooks of this world. When it comes to behavioural targeting, volume and match rate are the most important criteria.
Our advice
Within the current context, it is difficult — and perhaps impossible — for website publishers and real-time bidding companies to meet the GDPR’s transparency and security requirements. It is clear that a drastic change in the technology (for example Google’s proposal for “Topics” — a contextual based targeting mechanism) or more clarification from legislators is needed for publishers to advertise with a clear conscience.
So again, we recommend that organisations think carefully about why they are using behavioural retargeting and what type of data they are sharing with these third parties. Be aware that uploading email addresses to an American AdTech platform (ex: Custom Audiences feature in Facebook Ads Manager) is a practice that is difficult to defend within the current legal framework. Even if you can demonstrate the necessary consent. Maybe you are better off with contextual targeting that does not depend on profiling and data exchanges.
European alternatives
For behavioural retargeting, we strongly recommend investigating the European alternatives. There is still a lot of uncertainty about whether or not these are entirely compliant with GDPR (just think of the condemnation of the IAB consent framework), but at least you will rule out the issue of trans-Atlantic data transfers.
The European DSP platforms that you might want to consider:
→ AdForm (headquarters in Copenhagen, Denmark)
→ Criteo (headquarters in Paris, France)
Last word
Please realise that the context in which we work today will continue to evolve. It is therefore important that you approach this topic from a strategic point of view and do not see it as a one-off thought exercise.
It is time to take responsibility when collecting data. However banal it may sometimes seem. Make sure you have the right knowledge of the technologies you use and stay abreast of new developments both legally and technologically.
We hope this article has given you the tools to have an informed discussion within your organisation. Other impacted disciplines of the GDPR legislation were discussed in the following links:
Does all this seem very challenging to you? Then do not hesitate to call on specialised parties. For example, deJuristen in case of the legal framework and Stitchd for the technical possibilities. They support many organisations, both large and small, specifically in this area.
